Cloning an OCI Vault secured PDB - Part II

Sven Illert -

Last year I tried to duplicate a TDE encrypted pluggable database from one Exadata Cloud Machine to another into a separate CDB which is not a standby system of the first one. Normally this is not a big problem, because you can copy over the encryption key(s) from the source within the clone command. But that does not work when your encryption keys are stored in the OCI Vault service. As a refresher, this is the error you'll get if you try.

ORA-46659: master keys for the given PDB not found
1.     00000 - "master keys for the given PDB not found"
*Cause: The master keys for the specified pluggable database (PDB) could not
be retrieved.
*Action: Check if the master keys were generated for the specified PDB and
retry the command.

Also, if you try to export the key from the Vault service you'll fail miserably. But that is one of the reasons to use this service: your encryption keys are much safer there, even if you provide your own generated key material. My solution last time was to work around the issue and switch back to a file based wallet so that the keys could easily be exported from the source database to the target. But that is not what you want to do in production environments.

There's a much easier and better way to achieve the desired result which is probably not so obvious at first - at least it wasn't for me, and I bet you are smarter than me. But for the sake of completeness I'd like to tell you what Oracle hinted I should do instead. The solution is to add a secondary Vault key to the target database container. That can be achieved with the following command.

% dbaascli tde addSecondaryHSMKey --dbname TGTCDB --secondaryKmsKeyOCID ocid1.key.oc1.eu-frankfurt-1.xyz.mykeyrandomstring

Once you have added the OCID of the Vault key that holds the master key of the source PDB, you can clone the database the way you initially intended. This works because the target can use the key of the source to decrypt the datafiles.

create pluggable database tgtpdb from srcpdb@srcpdb keystore identified by "xxx";
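After the clone, it is worth confirming that the target still uses the external (OCI Vault) keystore in every container and that the cloned PDB actually resolved its master key from there rather than from a file wallet. The following check is an added example and not part of the original post; it assumes the names TGTCDB and TGTPDB from above and is run as SYSDBA in the root of the target CDB.

```sql
-- Added verification example; run in TGTCDB as SYSDBA after the clone completed.
-- Assumed container name: TGTPDB (as used in the clone command above).

-- 1. Every container (root and PDBs) should report the external keystore,
--    i.e. WRL_TYPE = 'HSM' with STATUS = 'OPEN'. A 'FILE' entry that is OPEN
--    would mean a file based wallet crept back in.
SELECT con_id, wrl_type, status, wallet_type, keystore_mode
  FROM v$encryption_wallet
 ORDER BY con_id, wallet_order;

-- 2. List the master keys each container can see. The cloned PDB should show
--    the key that was added with dbaascli tde addSecondaryHSMKey.
SELECT con_id, key_id, tag, keystore_type, creation_time, activation_time
  FROM v$encryption_keys
 ORDER BY con_id, activation_time;

-- 3. Confirm the encrypted tablespaces of the cloned PDB are usable and which
--    master key they are bound to (MASTERKEYID must match a key from step 2).
SELECT t.con_id, t.ts#, t.encryptionalg, t.masterkeyid, t.status
  FROM v$encrypted_tablespaces t
  JOIN v$pdbs p ON p.con_id = t.con_id
 WHERE p.name = 'TGTPDB'
 ORDER BY t.ts#;
```

If step 1 shows the PDB's keystore as CLOSED, the secondary key OCID was not picked up and the clone will fail with the ORA-46659 shown at the top of the post.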

HTH!